From 5a4b4b9346894d125e9cb99b13ed73cfc0be48a7 Mon Sep 17 00:00:00 2001
From: Pradipta Banerjee
Date: Mon, 27 Nov 2023 16:40:34 +0530
Subject: [PATCH] podvm: Provide an example Open Policy Agent (opa) addon

This commit adds an example opa addon to support kata agent policy that can be included in the packer built podvm image

Signed-off-by: Pradipta Banerjee
---
 podvm/addons/opa/README.md | 6 +++
 .../opa/allow-all-except-exec-process.rego | 39 +++++++++++++++++++
 podvm/addons/opa/allow-all.rego | 38 ++++++++++++++++++
 podvm/addons/opa/kata-opa.service | 32 +++++++++++++++
 podvm/addons/opa/setup.sh | 34 ++++++++++++++++
 5 files changed, 149 insertions(+)
 create mode 100644 podvm/addons/opa/README.md
 create mode 100644 podvm/addons/opa/allow-all-except-exec-process.rego
 create mode 100644 podvm/addons/opa/allow-all.rego
 create mode 100644 podvm/addons/opa/kata-opa.service
 create mode 100755 podvm/addons/opa/setup.sh

diff --git a/podvm/addons/opa/README.md b/podvm/addons/opa/README.md
new file mode 100644
index 0000000000..d6c639a590
--- /dev/null
+++ b/podvm/addons/opa/README.md
@@ -0,0 +1,6 @@
+## Introduction
+
+This is a skeleton addon
+
+To enable an addon, create a file `.enable` in the current addon directory as
+well as in the top-level `podvm/addons` dir.
diff --git a/podvm/addons/opa/allow-all-except-exec-process.rego b/podvm/addons/opa/allow-all-except-exec-process.rego
new file mode 100644
index 0000000000..ec3bf15a9e
--- /dev/null
+++ b/podvm/addons/opa/allow-all-except-exec-process.rego
@@ -0,0 +1,39 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
diff --git a/podvm/addons/opa/allow-all.rego b/podvm/addons/opa/allow-all.rego
new file mode 100644
index 0000000000..7ac8134f03
--- /dev/null
+++ b/podvm/addons/opa/allow-all.rego
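Review bot: `default SetPolicyRequest := true` undercuts the one restriction this file adds, `default ExecProcessRequest := false`: if kata-agent evaluates SetPolicyRequest against the currently active policy (as the request name suggests), the policy can be replaced at runtime by one that allows exec, so the exec denial is advisory rather than enforced. For a policy whose purpose is to restrict a request type, set `default SetPolicyRequest := false`, or state at the top of the file that the restriction can be lifted at runtime and that a production policy should lock SetPolicyRequest. The file also has no header naming its intent, and the README describes the addon only as a skeleton; a first line such as `# Example kata-agent policy: allow every request except ExecProcessRequest.` would make its purpose clear to whoever copies it.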
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
diff --git a/podvm/addons/opa/kata-opa.service b/podvm/addons/opa/kata-opa.service
new file mode 100644
index 0000000000..3aaa5f0b3a
--- /dev/null
+++ b/podvm/addons/opa/kata-opa.service
@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+[Unit]
+Description=Open Policy Agent for Kata Containers
+Documentation=https://github.com/kata-containers
+ConditionPathExists=/etc/kata-opa/default-policy.rego
+
+# kata-agent connects to OPA while starting up.
+Before=kata-agent.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
+DynamicUser=yes
+RuntimeDirectory=kata-opa
+LimitNOFILE=1048576
+
+# Don't restart because there may be an active policy that would be lost.
+Restart=no
+
+# Send log output to tty to allow capturing debug logs from a VM vsock port.
+StandardError=tty
+
+# Discourage OOM-killer from touching the policy service.
+OOMScoreAdjust=-997
+
+[Install]
+WantedBy=multi-user.target
diff --git a/podvm/addons/opa/setup.sh b/podvm/addons/opa/setup.sh
new file mode 100755
index 0000000000..505f438542
--- /dev/null
+++ b/podvm/addons/opa/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+
+#This is the dir in the pod vm image during build
+ADDONS_DIR="/tmp/addons"
+
+
+# Copy policy file
+mkdir -p /etc/kata-opa
+
+cp ${ADDONS_DIR}/opa/allow-all.rego /etc/kata-opa
+cp ${ADDONS_DIR}/opa/allow-all-except-exec-process.rego /etc/kata-opa
+
+# Create default rego policy
+ln -s /etc/kata-opa/allow-all.rego /etc/kata-opa/default-policy.rego
+
+
+# Create service file
+
+cp ${ADDONS_DIR}/opa/kata-opa.service /etc/systemd/system/kata-opa.service
+
+systemctl enable kata-opa.service
+
+# PODVM_DISTRO variable is set as part of the podvm image build process
+# and available inside the packer VM
+if [[ "$PODVM_DISTRO" == "ubuntu" ]] || [[ "$PODVM_DISTRO" == "rhel" ]]; then
+ # Copy opa binary in /usr/local/bin
+ curl -L -o opa https://openpolicyagent.org/downloads/v0.58.0/opa_linux_amd64_static
+ install -D -o root -g root -m 0755 opa -T /usr/local/bin/opa
+
+fi
+
+
+
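Review bot: `ExecStart=/usr/local/bin/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info` starts OPA with no policy loaded, while `ConditionPathExists=/etc/kata-opa/default-policy.rego` gates the unit on a file the unit itself never reads, so a reader cannot tell from the unit who loads that file or what happens if nobody does. If kata-agent pushes the default policy into OPA on startup (which the `Before=kata-agent.service` ordering suggests), say so above ExecStart: `# OPA starts with no policy; kata-agent loads /etc/kata-opa/default-policy.rego into it over the loopback API when it starts.` That comment also completes the rationale for `Restart=no`, since a restarted OPA would come back empty and the agent would not re-send the policy. The REST API bound on 127.0.0.1:8181 carries no authentication, so the integrity of the loaded policy rests on nothing else in the VM being able to reach loopback; that assumption belongs next to `--addr` so it is revisited if the image ever runs additional services.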
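Review bot: `curl -L -o opa https://openpolicyagent.org/downloads/v0.58.0/opa_linux_amd64_static` fetches the binary that will enforce agent policy with no integrity check, and without `-f` a non-2xx response body is saved as `opa`; because the script never sets `set -e`, a failed or partial download is either installed as /usr/local/bin/opa or silently skipped and the packer build still succeeds. Pin the expected SHA-256 of the release artifact in the script (taken from the upstream release page, not from a checksum fetched alongside the binary) and fail the build on mismatch, and start the script with `set -euo pipefail` so the earlier `cp`, `ln -s` and `systemctl enable` failures also abort the image build. Worth stating in a comment near the `ln -s` line as well that the image ships with the allow-all policy as its default and the exec-denying variant is only installed alongside it, since that is the security posture a reader of this script inherits. `ln -s` without `-f` will also fail if the addon runs twice on the same image, which matters only if the packer flow re-runs setup.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: ADDONS_DIR, policy copies, default-policy symlink, service install …

if [[ "$PODVM_DISTRO" == "ubuntu" ]] || [[ "$PODVM_DISTRO" == "rhel" ]]; then
  # Copy opa binary into /usr/local/bin, verifying it against a digest pinned
  # from the upstream release page. Placeholder below must be replaced.
  OPA_URL="https://openpolicyagent.org/downloads/v0.58.0/opa_linux_amd64_static"
  OPA_SHA256="<SHA256_OF_opa_linux_amd64_static_v0.58.0_FROM_RELEASE_PAGE>"
  curl -fsSL -o opa "${OPA_URL}"
  echo "${OPA_SHA256}  opa" | sha256sum -c -
  install -D -o root -g root -m 0755 opa -T /usr/local/bin/opa
fi
```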